First, a few excerpts from Marc’s thoughtful conclusions, followed by my own analysis and perspective on the bigger picture to attempt to put it into context for both IT professionals and everybody else:

Does this mean TouchID is flawed and that it should be avoided? The answer to that isn’t as simple as you might think. Yes, TouchID has flaws, and yes, it’s possible to exploit those flaws and unlock an iPhone. But, the reality is these flaws are not something that the average consumer should worry about. Why? Because exploiting them was anything but trivial.

And, besides:

TouchID is not a “strong” security control. It is a “convenient” security control. Today just over 50 percent of users have a PIN on their smartphones at all, and the number one reason people give for not using the PIN is that it’s inconvenient. TouchID is strong enough to protect users from casual or opportunistic attackers (with one concern I will cover later on) and it is substantially better than nothing.

Today, we have more sensitive data than ever before on our smart devices. To be honest, many of us should treat our smartphone like a credit card because you can perform many of the same financial transactions with it. Fingerprint security will help protect you against the three biggest threats facing smartphone users today:

The key here is that Touch ID is better than having no password/PIN at all, which is how a large percentage of iPhone users have their phones configured according to Apple (and my own anecdotal surveys). Security is not about absolutes. It is about incremental improvements over some other state or situation. To judge whether something is an improvement, you first have to be clear on the state things are in and the situation the enhancement is meant to address.

Calling something out as “insecure” is an empty statement that makes one sound self-important and does everyone a disservice. There may be valid security concerns – there always are – but they cannot be properly evaluated and the risks/rewards weighed without contextual information.

Touch ID makes a lot of sense given the context of 1 in 2 phone users having no PIN protecting their phone at all – and the modern smart phone being a portal to everybody’s email, financial, and on-line service accounts.

Basically the objective seems to have been: Come up with something that users who are not using PINs at all will use, and that is nearly as secure as having a PIN in nearly all scenarios of casual loss or theft.

It is not about coming up with something more secure than a PIN. It is about having something that is better than no PIN that a non-technical and non-security aware user will bother to use.

If an attacker wishes to target an individual user, there are far lower hanging fruit than stealing the victim’s phone and then reproducing their fingerprint[1]. Off the top of my head, you could look over the victim’s shoulder, social engineer them, steal their phone while it’s unlocked, go for their laptop instead, hack their email, intercept and do a man-in-the-middle attack on their unencrypted WiFi at their favorite coffee shop, or tens of other possibilities.[2]

But, remember, we’re generally not concerned about targeted attacks. That is, not for folks that don’t even have PINs on their phones. These folks are literally sitting ducks for casual-happenstance-completely-untargeted-attacks and the overall goal is to simply improve their overall security posture. That is, to reduce the quantity and shallowness of their “low hanging fruit.”

A targeted attack is always harder to protect against. But this is not what Touch ID is about.

The phrase “potential to be hacked” – which I’ve seen tossed around as a vague criticism for the Touch ID – is a ridiculous statement. Fort Knox can be hacked. So can your bank. It’s all a matter of degrees of effort (and risk) required by the perpetrator[3].

There are some valid reasons for not using Touch ID, but those only apply to the non-average user. The Chaos Computer Club talks about some of them in the last couple of paragraphs of their original report on hacking the Touch ID. They are valid points, but have nothing to do with the 1 in 2 users who do not have any protection against even the most casual of attacks or accidents.

Touch ID’s greatest legacy – assuming it stands up to further scrutiny that permits it to stay more secure than the other low hanging fruit relevant to casual non-targeted attacks – may be getting more users to put even a minimal amount of tamper resistance on their phone.

“Tamper resistance”, incidentally, is probably a fairly appropriate phrase to use here, but no one other than power users and security engineers will understand why. Which is kind of the point: this isn’t about them. But this type of security enhancement does help them in their jobs, at least if they are responsible for any information assets that are accessed by those 1 in 2 iPhone users without PINs on their phone.

I will close with one final thought. It is possible that some people will start using Touch ID believing it is secure against attacks it is actually not effective against. This is always an issue. After all, even what is secure against certain attacks today may not be tomorrow, as more information and new techniques are developed.

This is why there are people like security engineers, IT professionals, developers, and manufacturers who stay abreast of new developments. It’s their job to research and assess these things – not their users’ or customers’ job, though their input can be helpful too, of course – and then to provide guidance or solutions that help push their users and customers forward, elevating everyone’s security posture.
